CN112822184B - Unsupervised autonomous attack detection method in endogenous security system - Google Patents


Info

Publication number
CN112822184B
Authority
CN
China
Prior art keywords
node
sensor
graph
module
nodes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011633568.9A
Other languages
Chinese (zh)
Other versions
CN112822184A (en)
Inventor
方兰婷
胡爱群
李涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Network Communication and Security Zijinshan Laboratory
Original Assignee
Network Communication and Security Zijinshan Laboratory

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention discloses an unsupervised autonomous attack detection method in an endogenous security system. The method constructs a dynamic graph model of the nodes and logical relations in a target network, encodes the graph model into hidden vectors, initializes a subgraph and each node based on the hidden vectors, generates edges between the nodes through two strategies, node selection and node expansion, and repeats these steps until decoding and reconstruction are finished. The reconstruction accuracy is then calculated; if it is smaller than a threshold, the target network is judged to be attacked, the attacked area is located by graph matching, and the judgment result is returned.

Description

Unsupervised autonomous attack detection method in endogenous security system
Technical Field
The invention relates to the technical field of computer network communication, in particular to an unsupervised autonomous attack detection method in an endogenous security system.
Background
Traditional security defenses are usually developed independently in specific fields such as anti-malware, network traffic anomaly detection, network security operations and system security assessment. An endogenous security system instead builds the security of an information system on the model of a biological nervous system, from the perspective of bionics. Compared with existing intelligent security research, "endogenous security" fuses a human-body bionic system, immunity, artificial intelligence and a mobile communication network: a massive number of sensors are deployed following the distributed sensing of the human nervous system, changes in every part of the system are monitored in real time, a human-brain-like security center is built with artificial intelligence methods, and decisions are made from the aggregated information, so that external intrusion is countered in a measured way and internal intrusion is defended against in the manner of an immune system. Sensing deployment that mimics the human body, brain-like learning and decision-making, moderate counteraction of external intrusion, and marking of and defense against internal intrusion together form an endogenous security mechanism based on bionic immunity. Following the concept of bionic immunity, this addresses basic theoretical problems such as constructing a bionic immune system highly fused with the information system, designing a distributed fine-grained threat sensing and countering mechanism, designing a multilayer conduction network fused in parallel with the information system, establishing an access control mechanism that cannot be duplicated, and constructing a security center with learning, processing and decision-making capabilities using artificial intelligence methods.
In an endogenous security system, one of the key links is autonomous attack detection, which performs attack identification and problem localization within each independent security region. However, new attacks keep emerging on the network, and they are more covert and intelligent than earlier ones. Traditional methods based on feature matching cannot cope with increasingly complex attack techniques, so many researchers use machine learning algorithms for attack detection. Most existing machine-learning-based attack detection, however, uses supervised learning and needs a large amount of attack data as prior knowledge to learn a model, which causes two serious problems: 1. manually labeling data consumes a great deal of time and effort, and the quality of the manual labels cannot be guaranteed; 2. a supervised method trains its model on attack data, but in practice attack techniques are endless, and if a new attack does not appear in the training data the supervised method may fail to detect it. The invention therefore provides an unsupervised autonomous attack detection technique in an endogenous security system, which needs no prior knowledge of attack data and achieves attack identification and localization in the endogenous security system by self-learning the network state in the normal state.
Disclosure of Invention
The invention aims to provide an unsupervised autonomous attack detection method in an endogenous security system that overcomes the defects of the prior art, namely that traditional feature-matching-based methods have a low recognition rate, and that machine-learning-based methods lack reliable pre-annotated data and cannot cope with unknown attacks.
The purpose of the invention can be realized by the following technical scheme:
An unsupervised autonomous attack detection method in an endogenous security system, comprising the following steps:
S1, acquiring data from the massive number of sensors in the endogenous security system;
S2, constructing a dynamic graph model based on the nodes and logical relations in the target network, wherein each node in the graph carries node attribute features and each logical relation carries relation attribute features; the attribute graph variational autoencoder comprises two modules: an encoder and a generator. Anomalies on the graph are detected from changes in the node attributes of the attribute graph model and changes in the edges between nodes, and anomalies of the target network are detected based on the anomalies of the graph;
S3, the graph encoder module encodes the graph model into a hidden vector, so as to capture the structure information of the graph and the attribute features of the nodes; the decoder comprises three stages: initialization, node updating and attribute graph reconstruction;
S4, the graph decoder initializes the representation vector of each node in the attribute graph to the hidden vector and selects one node as the initial subgraph;
S5, selecting a target node based on the subgraph, updating the subgraph, and iteratively updating the representation vector of each node in the subgraph to generate a new representation vector; edges between nodes are generated continuously through two strategies, node selection and node expansion, wherein in each step a node is first selected from a queue and it is judged whether an edge exists between that node and the other nodes, and the process is repeated until the attribute graph is constructed;
S6, calculating a loss function; the graph variational autoencoder model is trained using only normal data, the reconstruction probability of the normal graph model is calculated, the reconstruction accuracy P is calculated, and the target network is judged to be attacked if the reconstruction accuracy P is smaller than a threshold T;
S7, when the network is judged to be attacked, locating the attacked area by graph matching and returning the judgment result.
Further, the detection method achieves attack detection and localization by first self-learning the network state in the normal state.
Further, the sensor types corresponding to step S1 include one or more of a network flow sensor, a file access sensor, an upload and download sensor, a website access sensor, a mail monitoring sensor, a program monitoring sensor, an electric quantity consumption sensor, a CPU temperature sensor, a log sensor, and a memory usage sensor.
Further, the node attributes in step S2 include one or more of duration, byte number, packet content, source computer, source port, destination computer, destination port, protocol, file access record, upload/download record, web page access, mail access, program monitoring, power consumption record, CPU temperature change record, log access record, log content, and memory usage record.
Further, the subgraph update in step S5 includes a subgraph node update and a node representation vector update.
Further, in step S5 the subgraph nodes are updated one by one according to two functions: target selection and neighbor expansion. Target selection chooses the target node to be visited, and neighbor expansion chooses the edges to be added from the target node. The target selection function inserts all nodes into a queue in breadth-first traversal order; the neighbor expansion function selects neighbors for the target node according to the whole-graph information and the information of each node, and updates the queue.
Further, in step S5 the representation vectors of the nodes are updated by traversing the nodes in breadth-first order and updating the representation vector of each node in turn.
Further, the attribute graph generation method in step S5 adopts a teacher-forcing learning method: after the prediction at each step, the predicted values are replaced with the real nodes and attributes of the attribute graph, so that each step of the graph model makes its predictions from the correct history.
Further, in step S6 the model is trained and the threshold T is determined using normal data; for an unknown graph model, if the reconstruction accuracy is lower than the threshold T, the graph model is judged to be attacked.
An unsupervised autonomous attack detection device in an endogenous security system comprises a data acquisition and distribution module, a data analysis module, an attribute graph construction module, a decision-making judgment module and a cooperative processing module.
The data acquisition and distribution module identifies data transmitted by external equipment and distributes the data to the target processing unit; the whole data acquisition process takes place in a secure area, and information triggering, exchange and multilayer conduction are carried out through the massive number of sensors.
The sensors comprise one or more of a network flow sensor, a file access sensor, an upload and download sensor, a website access sensor, an email monitoring sensor, a program monitoring sensor, an electric quantity consumption sensor, a CPU temperature sensor, a log sensor and a memory usage sensor.
The data analysis module analyzes the operation result data output by the target processing unit and generates unique data features.
The attribute graph construction module comprises an encoder module, a generator module and a decoder module, and the decoder module comprises an initialization module, a node updating module, an intelligent decision module and an attribute graph reconstruction module; the intelligent decision module applies a mimicry decision strategy to make mimicry decisions on the data features of the nodes.
The decision-making judgment module judges whether an attack has occurred, locates the attacked area by graph matching and returns the judgment result.
The cooperative processing module handles the cooperative processing of decisions: it processes the data after a decision is made and sends the data to external equipment, and the monitoring processor monitors the feedback information in real time.
The invention has the beneficial effects that:
1. The autonomous attack detection method builds the relevant nodes in a target network into an attribute graph model and provides a graph variational autoencoder model for detecting whether attack behavior exists in the network. Compared with traditional feature matching, the method does not need manually defined features and has strong sensing, judgment and self-adaptive capabilities; compared with existing machine learning and deep learning methods, it does not need a pre-annotated abnormal data set, which solves the problem of lacking reliable pre-annotated data sets;
2. The autonomous attack detection method detects attacks by modeling the normal network structure, which solves the problem that unlabeled abnormal behaviors are difficult to detect with label-based machine learning methods.
Drawings
The invention will be further described with reference to the accompanying drawings.
FIG. 1 is a schematic overview of the endogenous security architecture of the present invention;
FIG. 2 is a schematic diagram showing the relationship between the detection method and other modules of the endogenous security system according to the present invention;
FIG. 3 is a flow chart of the overall implementation of the detection method of the present invention;
FIG. 4 is a flowchart of an implementation of the attribute graph reconstruction module in the detection method of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the unsupervised autonomous attack detection method in an endogenous security system, as shown in FIG. 1, an attack on a target node takes the form of a perturbation applied to a node on the graph, which changes some attribute features of that node.
As shown in FIG. 1, a change to the system structure takes the form of a perturbation applied to the overall structure of the graph; perturbations of the graph structure include adding edges, removing edges, adding nodes, deleting nodes, and the like.
Given an attribute graph $G(V, A, X)$, where $v \in V$ represents a node in the graph, $A \in \{0,1\}^{N \times M}$ is the adjacency matrix representing the neighbor relationships between vertices, $X \in \{0,1\}^{N \times D}$ is the feature matrix, and $x_v \in \{0,1\}^{D}$ is the $D$-dimensional feature vector of node $v$.
As shown in FIG. 4, the detection model framework includes three modules: initialization, node updating and edge selection. For an adversarial sample $G_P$, the representation vector of each node in $G_P$ is first initialized to its feature attribute vector, i.e.
Figure GDA0003867297740000061
For each stage t of the graph generated in FIG. 4, the representation vector of each node in the graph is iteratively updated to generate a new representation vector
Figure GDA0003867297740000062
In the edge selection stage, edges between nodes are generated continuously through two strategies, node selection and node expansion.
In each step of edge selection, the graph denoising model first selects a node from the queue and judges whether an edge exists between that node and the other nodes; this process is repeated until the graph construction is completed.
When a new graph is generated, its nodes are updated based on a graph convolutional network (GCN). Given a target node $i$ and its representation vector $h_i$, the representation vectors of its neighbor nodes are aggregated; the single-layer forward propagation has the form:
Figure GDA0003867297740000063
where $\alpha_{ij} \in [0,1]$: 0 indicates that node $j$ is not a neighbor of node $i$, 1 indicates that $j$ is a neighbor of node $i$, $\alpha_{ij} = 1$; $w$ is a parameter to be learned.
First, a node $v$ is selected from the queue, and then a node $u$ that has an edge to $v$ is selected; for every pair of nodes $u$ and $v$, a feature vector is constructed
Figure GDA0003867297740000071
where $d_{u,v}$ is the Euclidean distance between $v$ and $u$ and $H_t$ represents the global features of the graph; the feature vector is used to generate the distribution over candidate edges:
Figure GDA0003867297740000072
Here, $W_t$ and $U_t$ are parameters to be learned.
The loss between the original graph and the reconstructed graph comprises two parts, an attribute loss and a structural loss: the attribute loss is the L1 norm between the denoised sample and the original graph, and the structural loss is realized by maximizing the probability of restoring all edges.
Figure GDA0003867297740000073
where
Figure GDA0003867297740000074
represent the true attributes and true edges of the nodes in the graph, respectively.
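Steps S6 and S7 (train on normal data only, flag a graph whose reconstruction accuracy P falls below T, then localize), as an added Python example that is not part of the patent. A nearest-normal-snapshot lookup stands in for the trained graph variational autoencoder, T is taken as the worst leave-one-out accuracy on the normal set, and a per-node mismatch count stands in for graph matching; these choices, the host names, the two attribute bits and all snapshots are assumptions constructed for illustration.

```python
from itertools import combinations

NODES = ["gw", "srv", "db", "ws1", "ws2"]      # constructed host names
PAIRS = [frozenset(p) for p in combinations(NODES, 2)]
D = 2                                          # assumed attribute bits: (high_bytes, new_port)
TOTAL = len(PAIRS) + D * len(NODES)            # edge + attribute decisions per graph
BASE = [("ws1", "gw"), ("ws2", "gw"), ("gw", "srv"), ("srv", "db")]


def graph(edges, attrs=None):
    """Attribute graph snapshot: undirected edge set plus a binary vector per node."""
    attrs = attrs or {}
    return {"edges": {frozenset(e) for e in edges},
            "attrs": {v: tuple(attrs.get(v, (0,) * D)) for v in NODES}}


def node_mismatch(g, r):
    """Per-node count of edge and attribute bits on which g and r disagree."""
    diff = {v: 0 for v in NODES}
    for pair in g["edges"] ^ r["edges"]:       # added or removed edges
        for v in pair:
            diff[v] += 1
    for v in NODES:
        diff[v] += sum(a != b for a, b in zip(g["attrs"][v], r["attrs"][v]))
    return diff


def distance(g, r):
    """Hamming distance over all edge and attribute decisions."""
    attr_bits = sum(a != b for v in NODES
                    for a, b in zip(g["attrs"][v], r["attrs"][v]))
    return len(g["edges"] ^ r["edges"]) + attr_bits


def reconstruct(g, normal):
    """Stand-in decoder: the closest graph seen during normal-only training."""
    return min(normal, key=lambda r: distance(g, r))


def accuracy(g, normal):
    """Reconstruction accuracy P: share of decisions the reconstruction gets right."""
    return (TOTAL - distance(g, reconstruct(g, normal))) / TOTAL


def calibrate(normal):
    """Threshold T: worst leave-one-out accuracy over the normal snapshots."""
    return min(accuracy(g, normal[:i] + normal[i + 1:])
               for i, g in enumerate(normal))


def detect(g, normal, threshold):
    """S6: compare P with T. S7: rank nodes by mismatch against the reconstruction."""
    p = accuracy(g, normal)
    if p >= threshold:
        return {"attacked": False, "P": p, "suspects": []}
    diff = node_mismatch(g, reconstruct(g, normal))
    suspects = sorted((v for v in NODES if diff[v]), key=lambda v: -diff[v])
    return {"attacked": True, "P": p, "suspects": suspects}


# Constructed normal snapshots: a workstation offline, backup traffic on srv/db.
NORMAL = [
    graph(BASE),
    graph(BASE[:1] + BASE[2:]),                # ws2 offline
    graph(BASE, {"srv": (1, 0)}),
    graph(BASE[1:]),                           # ws1 offline
    graph(BASE, {"srv": (1, 0), "db": (1, 0)}),
]
# Constructed perturbations: one added edge plus changed attributes on ws1.
ATTACK = graph(BASE + [("ws1", "db")], {"ws1": (1, 1)})
BENIGN = graph(BASE, {"db": (1, 0)})           # unseen but close to normal

if __name__ == "__main__":
    T = calibrate(NORMAL)
    print("T =", T)
    print("attack:", detect(ATTACK, NORMAL, T))
    print("benign:", detect(BENIGN, NORMAL, T))
```

Because T comes only from normal snapshots, a sparse normal set raises the false-positive rate on legitimate but unseen states; no attack samples are needed at any point.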
An unsupervised autonomous attack detection device in an endogenous security system comprises a data acquisition and distribution module, a data analysis module, an attribute graph construction module, a decision-making judgment module and a cooperative processing module.
The data acquisition and distribution module identifies data transmitted by external equipment and distributes the data to the target processing unit; the whole data acquisition process takes place in a secure area, and information triggering, exchange and multilayer conduction are carried out through the massive number of sensors.
The sensors comprise a network flow sensor, a file access sensor, an upload and download sensor, a website access sensor, a mail monitoring sensor, a program monitoring sensor, an electric quantity consumption sensor, a CPU temperature sensor, a log sensor and a memory usage sensor.
The data analysis module analyzes the operation result data output by the target processing unit and generates unique data features.
The attribute graph construction module comprises an encoder module, a generator module and a decoder module, and the decoder module comprises an initialization module, a node updating module, an intelligent decision module and an attribute graph reconstruction module.
The intelligent decision module applies a mimicry decision strategy to make mimicry decisions on the data features of the nodes.
The decision-making judgment module judges whether an attack has occurred, locates the attacked area by graph matching and returns the judgment result.
The cooperative processing module handles the cooperative processing of decisions: it processes the data after a decision is made and sends the data to external equipment, and the monitoring processor monitors the feedback information in real time.
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed.

Claims (10)

1. An unsupervised autonomous attack detection method in an endogenous security system, the detection method comprising:
S1, acquiring data from the massive number of sensors in the endogenous security system;
S2, constructing a dynamic graph model based on the nodes and logical relations in the target network, wherein each node in the graph carries node attribute features and each logical relation carries relation attribute features;
S3, the graph encoder module encodes the graph model into a hidden vector;
S4, the graph decoder initializes the representation vector of each node in the attribute graph to the hidden vector and selects one node as the initial subgraph;
S5, selecting a target node based on the subgraph, updating the subgraph, and iteratively updating the representation vector of each node in the subgraph to generate a new representation vector; edges between nodes are generated continuously through two strategies, node selection and node expansion, wherein in each step a node is first selected from a queue and it is judged whether an edge exists between that node and the other nodes, and the process is repeated until the attribute graph is constructed;
S6, calculating a reconstruction accuracy P, and if the reconstruction accuracy P is smaller than a threshold T, judging that the target network is attacked;
S7, when the network is judged to be attacked, locating the attacked area by graph matching and returning the judgment result.
2. The method of claim 1, wherein the detection method achieves attack detection and localization by self-learning the network state in the normal state.
3. The method according to claim 1, wherein the sensor types corresponding to step S1 include one or more of a network traffic sensor, a file access sensor, an upload/download sensor, a website access sensor, a mail monitoring sensor, a program monitoring sensor, a power consumption sensor, a CPU temperature sensor, a log sensor, and a memory usage sensor.
4. The method of claim 1, wherein the node attributes in step S2 include one or more of duration, number of bytes, packet content, source computer, source port, destination computer, destination port, protocol, file access record, upload/download record, web page access, mail access, program monitor, power consumption record, CPU temperature change record, log access record, log content, and memory usage record.
5. The method of claim 1, wherein the subgraph update in step S5 comprises a subgraph node update and a node representation vector update.
6. The method of claim 1, wherein the subgraph nodes in step S5 are updated one by one according to two functions: target selection and neighbor expansion; target selection chooses the target node to be visited, and neighbor expansion chooses the edges to be added from the target node; the target selection function inserts all nodes into a queue in breadth-first traversal order; and the neighbor expansion function selects neighbors for the target node according to the whole-graph information and the information of each node, and updates the queue.
7. The method according to claim 1, wherein the representation vectors of the nodes in step S5 are updated by traversing the nodes in breadth-first order and updating the representation vector of each node in turn.
8. The unsupervised autonomous attack detection method in an endogenous security system according to claim 1, wherein the attribute graph generation method in step S5 adopts a teacher-forcing learning method: after the prediction at each step, the predicted values are replaced with the real nodes and attributes of the attribute graph, so that each step of the graph model makes its predictions from the correct history.
9. The method as claimed in claim 1, wherein in step S6 the model is trained and the threshold T is determined using normal data, and for an unknown graph model, if the reconstruction accuracy is lower than the threshold T, the graph model is judged to be attacked.
10. An unsupervised autonomous attack detection apparatus in an endogenous security system, the unsupervised autonomous attack detection apparatus comprising one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the unsupervised autonomous attack detection method in an endogenous security system of any one of claims 1-9;
the detection device comprises a data acquisition and distribution module, a data analysis module, an attribute graph construction module, a decision-making judgment module and a cooperative processing module;
the data acquisition and distribution module identifies data transmitted by external equipment and distributes the data to the target processing unit, the whole data acquisition process takes place in a secure area, and information triggering, exchange and multilayer conduction are carried out through the massive number of sensors;
the sensors comprise one or more of a network flow sensor, a file access sensor, an upload and download sensor, a website access sensor, an email monitoring sensor, a program monitoring sensor, an electric quantity consumption sensor, a CPU temperature sensor, a log sensor and a memory usage sensor;
the data analysis module analyzes the operation result data output by the target processing unit and generates unique data features;
the attribute graph construction module comprises an encoder module, a generator module and a decoder module, and the decoder module comprises an initialization module, a node updating module, an intelligent decision module and an attribute graph reconstruction module; the intelligent decision module applies a mimicry decision strategy to make mimicry decisions on the data features of the nodes;
the decision-making judgment module judges whether an attack has occurred, locates the attacked area by graph matching and returns the judgment result;
and the cooperative processing module handles the cooperative processing of decisions: it processes the data after a decision is made and sends the data to external equipment, and the monitoring processor processes the monitoring feedback information in real time.
CN202011633568.9A 2020-12-31 2020-12-31 Unsupervised autonomous attack detection method in endogenous security system Active CN112822184B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011633568.9A CN112822184B (en) 2020-12-31 2020-12-31 Unsupervised autonomous attack detection method in endogenous security system


Publications (2)

Publication Number Publication Date
CN112822184A CN112822184A (en) 2021-05-18
CN112822184B true CN112822184B (en) 2023-04-07

Family

ID=75856570


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant